Four Ways Ransomware Can Destroy Your Backups

I just found a very interesting blog post by Jerome Wendt, President & Lead Analyst of DCIG, Inc., an independent storage analyst and consulting firm.

He started out with “The prevailing wisdom is that if you back up your data you can recover from a ransomware attack. While this premise generally holds true, simply backing up your data no longer provides an absolute guarantee that you can recover from a ransomware attack. Here are three techniques that ransomware may use to circumvent existing backups and make your “good” backups bad.” And I have added number 4 at the end as a bonus.

1. Finding and encrypting backups on network file shares. Many backup products back up data to file shares accessible over corporate networks. Further, many organizations use the default directory name created by these backup products to store these backups. The default names of these directories are readily accessible in the documentation published by backup providers. Some creators of ransomware have figured this out. As part of their viruses that find and encrypt data on production servers, they also probe corporate networks for these default backup directories and encrypt the backups in these directories. In so doing, they increase the possibility that companies cannot recover from backups.

2. Hacking the backup software’s APIs. A number of enterprise backup software products offer their own application programming interface (API). Using these APIs, organizations can write to them to centralize backup and recovery under their broader data center management platform. However, ransomware creators can also access these published APIs for nefarious purposes and use them to corrupt and/or encrypt existing backups.

3. Plant a ransomware “time bomb.” To date, when ransomware encrypts a company’s data, the encryption generally occurs as soon as or shortly after it gets onto the corporate network. However, ransomware continues to evolve and mature and, as it does so, it grows both more patient and more insidious. Rather than encrypting data as soon as it breaches the corporate firewall, it begins to infect the data but does not immediately encrypt it. Then, only after days, weeks, or months go by and this infected data has been backed up for months does it initiate the encryption of the corporate data. In many respects, this is the worst type of ransomware attack. Not only is all of a company’s production data encrypted, the company thinks it has “good” backups and when it goes to restore the data, the restored data encrypts as well because it was infected when it was backed up. This may make it almost impossible for an organization to determine when it was initially infected and which of their backed up data they can reliably and confidently restore.

4. Delete your Shadow copies. You know about this one, several major strains have been doing this for a few years now, and are constantly improving this part of their malicious code.
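One defensive check for the fourth item, as an added example that is not from Wendt's post or this blog: a small Python detector runs two rules over constructed, Sysmon-style process-creation lines and flags shadow-copy deletion commands while leaving a routine "list shadows" from a backup service account alone. The log line format, host names and user names are assumptions made for the example.

```python
import re

# Constructed, simplified process-creation log lines (not real telemetry).
SAMPLE_LOGS = [
    "2024-01-02T10:00:01Z host=WS01 user=alice image=C:\\Windows\\System32\\notepad.exe cmd=notepad.exe notes.txt",
    "2024-01-02T10:00:05Z host=WS01 user=alice image=C:\\Windows\\System32\\vssadmin.exe cmd=vssadmin delete shadows /all /quiet",
    "2024-01-02T10:00:06Z host=WS01 user=alice image=C:\\Windows\\System32\\wbem\\WMIC.exe cmd=wmic shadowcopy delete",
    "2024-01-02T10:00:09Z host=WS02 user=svc_backup image=C:\\Windows\\System32\\vssadmin.exe cmd=vssadmin list shadows",
]

# Detection rules: a name and a regex applied to the normalised command line.
# Both target deletion specifically, so read-only inventory commands such as
# "vssadmin list shadows" (common from backup agents) do not fire.
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
]

# Parser for the assumed line layout: timestamp, then key=value fields, cmd last.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>\S+) cmd=(?P<cmd>.*)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect(lines):
    """Run every rule over each parsed line; return one alert per matching line."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Normalise case and collapse whitespace so spacing tricks do not evade the regex.
        cmd = " ".join(rec["cmd"].lower().split())
        for name, pattern in RULES:
            if pattern.search(cmd):
                alerts.append({"rule": name, "ts": rec["ts"], "host": rec["host"],
                               "user": rec["user"], "cmd": rec["cmd"]})
                break  # one alert per line is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

Feeding the same rules real process-creation events (Sysmon Event ID 1 or Windows Security 4688 with command-line auditing enabled) gives an early signal that the backup safety net is being removed before the encryption phase is noticed.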

Wendt concluded: “Ransomware arguably represents one of the most insidious and dangerous threats that organizations currently face to the health of their data. The inability to access and recover from a ransomware attack may put the very survival of a company at risk. To counter this risk, many look to backup software as their primary means to recover from these attacks. But as ransomware takes aim at backup software, organizations need to take a fresh look at their backup software to make sure that it has the right set of features to counter these newest forms of ransomware attacks to ensure they have a verifiable path to recovery.”
